PRIVACY POLICY PHISHED.IO

Version 2024-08


Phished BV undertakes to process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other applicable legislation.

1. The Controller

Phished BV (hereinafter referred to as 'Phished', 'we', 'us' or 'our') with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and with registration number 0735.908.019, is the controller for the processing of your personal data for the purposes as described in this data protection policy.

2. Contact details

If you would like to contact us regarding this policy, you can do so by sending an email to our DPO: [email protected].

If you contact us because you wish to exercise one of your rights (see section 8), please clearly indicate which right you wish to exercise. Please be as specific as possible when exercising your rights.

3. The personal data we process

Depending on your role or capacity, we collect the following data:

  • Customers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or phone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Partners (and their representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Prospects (and their representatives): general identification data (such as name, title/position, address, mobile phone or telephone number, e-mail), professional activities (including the nature of the activity, the nature of the goods/services used, business relationships), all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Suppliers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the nature of the activity, the nature of the goods/services used), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Job applicants: all personal data that has been lawfully provided to Phished (such as a CV and/or cover letter).
  • Website visitors: personal data collected via cookies (see our cookie policy).
  • Social media users: advertising through the personal data users provide via social media channels.

In the performance of its activities, Phished can also act as a processor of your personal data (for example, when sending a phishing simulation to a target group specified by our customer). In this case, the processing of personal data by Phished, as a processor, is part of the agreements between Phished and the controller(s)/our customer. These processing activities are not included in this privacy policy. In this context, we refer to the privacy policy for end users.

If you provide us with personal data from a third party, such as your staff, freelancers, customers, suppliers, partners, you guarantee to Phished that you (a) have lawfully obtained such personal data from the third party and have lawfully provided it to Phished, (b) have provided Phished with personal data that is accurate and up-to-date and (c) have provided the said person with relevant information about the existence and content of this policy.

4. Purposes

You are not obliged to share your personal data with us, but if you do not share the requested personal data with us, we may not be able to provide you with the requested services and/or products. We process the personal data for the following purposes:

  • 4.1. Execution of the agreement: the creation of a personal account and/or profile, the correct execution and fulfilment of the agreements (including communications), invoicing, customer service and support (so that we can help you with questions and/or problems).
  • 4.2. Purchases via website: the correct execution of and compliance with the agreements regarding purchases via the website (including communications), the processing of orders and any after-sales service, invoicing.
  • 4.3. Direct marketing: sending notifications via email and/or newsletters. If you no longer wish to receive these messages, you can use the opt-out provided. After that, you will no longer receive the unsolicited direct marketing messages and we will no longer process your personal data for these direct marketing purposes.
  • 4.4. Applicant management: to assess applicants' suitability for open positions, for recruitment, selection and, where applicable, the drafting of an employment contract.
  • 4.5. Necessary for the functioning of our company: to improve and optimize our services (e.g. by means of cookies and advertisements via social media), to maintain and improve the website (e.g. by means of cookies), to ensure the security of our website and services, to prevent misuse or improper use of our services, to store personal data as evidence or for the purpose of legal proceedings, administrative or out-of-court procedures, to store personal data for the purpose of obtaining or maintaining insurance coverage, managing risks or seeking expert advice, to store personal data to ensure attendance at / participation in events.
  • 4.6. To comply with legal obligations (e.g. in relation to anti-money laundering and counter-terrorism legislation).

5. Lawful basis for the processing activities

The processing of personal data under sections 4.1 and 4.2 is based on the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.

The processing of personal data of prospects under section 4.3 and the processing of personal data by means of cookies (other than strictly necessary and functional cookies) under section 4.5 is based on the consent of the data subject.

The processing of customer personal data under Section 4.3 and for the first contact with prospects, as well as the other processing of personal data under Sections 4.4 and 4.5 is based on our legitimate interests (only when the legitimate interest of our business overrides the interests of the data subjects). The interests are set out in sections 4.3 - 4.5.

The processing of personal data under section 4.6 is necessary for compliance with a legal obligation to which we are subject.

6. Sharing your personal data with third parties/international transfers

We only provide relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract with Phished. Of course, we have made agreements with these parties about the protection of your personal data.

Phished may disclose personal data when this is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary for the establishment, exercise or defence of legal claims, in legal proceedings or in administrative or out-of-court proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision or standard clauses, appropriate safeguards, binding corporate rules or exchanges as referred to in Article 49 (1) GDPR.

In the event of a total or partial reorganization, merger, demerger, acquisition or sale of assets, we are entitled to transfer personal data to the relevant third party.

You accept that personal data that you submit for publication through our website or services may be available worldwide via the Internet. We cannot prevent the use (or misuse) of such personal information by others.

7. Storage and deletion of personal data

We only retain personal data for as long as necessary to achieve the purpose set out above. Because the retention period depends on the purpose, but also on the type of personal data, these retention periods vary.

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to [email protected].

For your information and for the sake of clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

In order to exercise your rights, you must also provide sufficient proof of your identity. In this context, we recommend that you attach a protected copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access: you have the right to be informed about whether your personal data is being processed by us, and, if so, to access the personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, we will provide you with a copy of your personal data.
  • Right to rectification: you have the right to have inaccurate and/or incomplete personal data corrected and/or completed.
  • Right to erasure: You have the right to have your personal data erased in the circumstances mentioned in Article 17 (1) GDPR, such as when you withdraw your consent to consent-based processing or object to processing for direct marketing purposes.
    Phished will then delete your personal data without undue delay, unless the exclusions mentioned in Article 17 (3) GDPR apply. For example, Phished does not have to delete your data if the processing is necessary to comply with a legal obligation.
  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in Article 18 (1) GDPR, such as if you contest the accuracy of the personal data.
  • Right to data portability: you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) such processing is automated. However, this right does not apply if it would harm the rights and freedoms of others.
  • Right to withdraw consent: insofar as the processing ground for the processing of your personal data by Phished is based on consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
  • Right to lodge a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data in accordance with section 8. In any case, and in particular if you do not agree with Phished's position regarding a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority with address Drukpersstraat 35, 1000 Brussels).
  • Right to object to processing: You have the right to object to the processing of your personal data by Phished for direct marketing purposes at any time. You can do this via the 'opt-out' option. After that, you will no longer receive the unsolicited direct marketing messages, and we will no longer process your personal data for these direct marketing purposes. If the processing of your personal data is necessary for another purpose, you may of course still receive communications in the context of this purpose.
    You also have the right to object to the processing of your personal data by Phished based on Article 6 (e) or (f) GDPR on grounds related to your situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate/lawful grounds for the processing which override your interests, rights and freedoms, or the processing is necessary to establish, exercise or defend legal claims.

In addition, you have the right to object to our processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

9. Cookies

You can read more about our use of cookies at the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this privacy policy to take into account technological advancements, changes in laws and regulations and good business practices.

PRIVACY POLICY FOR END USERS

Phished BV (hereinafter “Phished”, “we”, “us” or “our”) is committed to processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable legislation.

Phished will process your personal data for and on behalf of its customer, the organisation that will be using our services. Phished therefore qualifies as the processor of your personal data, and the customer qualifies as the controller.

The controller may have its own privacy policy regarding the processing of your personal data by Phished, in which case these policies should be read together. In case of contradiction, the policy of the Controller prevails (as certain specific agreements may have been made with the Controller).

1. The controller

Your organisation (hereinafter “the Controller” or “the Customer”) appointed you as part of the target audience for the performance of the following services (hereinafter “Services”) by Phished:

  • performing simulated phishing attacks on the logged employees of the Customer (in its broadest sense, hereinafter “Employees”) (and systems of the Customer);
  • training the Employees by means of e-learning;
  • the automatic delivery (via web portal) of detailed reports regarding the results hereof.

The Customer and Phished have concluded an agreement on the performance of these Services.

2. The processor

Phished BV with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and registered number 0735.908.019, is the processor for the processing of your personal data in order to execute the Services.

3. Contact

In case you want to contact us regarding this policy, you can contact us via mail to our DPO: [email protected].

If you want to exercise one of your rights (see section 8), we kindly request to contact the Customer.

4. The personal data we process

We process the following of your personal data:

  • name;
  • email address;
  • language;
  • position at the company;
  • open/click/report behaviour and results.

Optional:

  • department within the company;
  • location within and/or of the company;
  • mobile phone or telephone number;
  • e-mail data (see below) (depending on settings in the Phished account).

This data is provided to us by the Customer, who (a) lawfully obtained such personal data from you and lawfully provided it to Phished, (b) provided Phished with personal data that is accurate and up to date, and (c) will provide you with relevant information about the processing activities.

5. Purposes

We process the personal data because it is necessary for the performance of the Services. In this regard we process your personal data for the following purposes on behalf of the Customer:

  • making the Phished software available in accordance with the agreements between Phished and the Customer (including, but not limited to, creating a recipient account for you and ensuring the proper functioning of the Phished software);
  • increasing the awareness level of the dangers of phishing via the Phished software and tracking the users of the software, including (but not limited to):
    • sending and receiving communications via email, text or voice message (depending on the settings) (e.g. notification of phishing simulation or a suspected real phishing e-mail).
      • These do not constitute direct marketing. Nevertheless, if you no longer wish to receive these communications, please contact the Customer, who may give its permission to stop these communications. However, we do not recommend this as you will no longer benefit from our training and the Customer benefits best from training when as many of its Employees as possible are participating.
      • If the Customer chose the option “handle reports in application” or “handle reports in application & forward reports to email” in the Phished account and possible phishing e-mails are reported:
        • via the Phished Report Button in Gmail: Phished will only process Gmail message bodies (incl. attachments), metadata, headers and settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted and the processing will also adhere to the Google API Services User Data Policy (Policy), incl. Limited Use requirements.
        • via the Phished Report Button in Outlook: Phished will only process Outlook message bodies (incl. attachments), metadata, headers and language settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted.
        • by forwarding them: Phished will only process the message bodies (incl. attachments) and headers to identify a mail as a phishing simulation from Phished or as a potential phishing threat when forwarded. This data is encrypted.
      • If the Customer chose the option “forward reports to email” in the Phished account and possible phishing e-mails are reported to Phished via the Phished Report Button in Gmail or Outlook or by forwarding, Phished will not process these e-mails.
    • organizing continuous performance management: keeping track of personal objectives, 1on1s and feedback for you.
    • measuring engagement on a continuous basis via the Phished Academy, using e.g. either Phished's set of questions or a self-chosen set of questions.
    • storage of phishing results.
    • keeping phishing results available for the Customer via statistics.
    • adjustments of the phishing simulations.

Phished will not process your personal data for any other purpose than for the performance of the Services and/or for the fulfilment of the responsibilities laid down in the agreement entered into between Phished and the Customer. Phished will only process your personal data on behalf of the Customer and in accordance with the documented instructions of the Customer.

6. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract to Phished. Naturally, we have made agreements with these parties regarding the protection of your personal data.

Phished may disclose personal data when such disclosure is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary to establish, exercise or defend legal claims, in court proceedings or in administrative or extra-judicial proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard provisions, appropriate safeguards, binding corporate rules or transfers referred to in Article 49 (1) GDPR.

In the event of a full or partial reorganisation, merger, demerger, acquisition or sale of assets, we are entitled to transfer the personal data to the relevant third party.

7. Storage and deletion of personal data

The personal data will be retained for the duration of the contract between Phished and the Customer and they will be deleted through e.g. anonymization, after 6 months of inactivity following termination of this contract. Unless otherwise agreed upon between Phished and the Customer, we are allowed to further use anonymized aggregated data, which does not constitute personal data, to improve our services.

In any case, you, as a data subject, or the Customer may contact us at any time regarding a request to anonymize or delete certain personal data (for example if you are no longer working for the Customer).

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to the Data Controller, who is responsible for handling this request. These will not be handled by Phished under any circumstances, unless we have been explicitly instructed by the Controller.

For your information and clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

To exercise your rights, you must provide sufficient proof of your identity. In this context, we recommend that you attach a protected copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access and a copy of your personal data: you have the right to be informed about whether your personal data is being processed by the Data Controller and, if so, to access this personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, the Data Controller will provide you with a copy of your personal data.

    If you request a copy of your data processed by Phished, you must address this request to your Controller. We inform you that, if we receive your request via the Data Controller, we can only provide a copy of the following personal data:
      • your name;
      • your e-mail address;
      • the unique number associated with your user account (UID).

    All other categories of personal data (see above) are encrypted for Phished (where the encryption key is managed by a third party). Therefore, we cannot reasonably provide you with a copy of this data. However, the Controller can provide a copy of this.

    This is part of the principle of 'Security by Design', as our platform is structured in such a way that the personal data that Phished can consult is limited to what is strictly necessary.
  • Right to rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or supplemented.
  • Right to erasure: you have the right to have your personal data erased in the circumstances mentioned in Article 17(1) of the GDPR, such as when you withdraw your consent to processing based on consent.

    Please note that your personal data has not been collected for the use of the Services by the Data Controller based on your consent, but based on their legitimate interest.
  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances set out in Article 18(1) GDPR, for example in the event that you contest the accuracy of the personal data.
  • Right to data portability: you have the right to receive the personal data concerning you that you have provided to the Data Controller in a structured, commonly used and machine-readable format and to transmit this data to another Data Controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) this processing is automated. However, this right does not apply where it would harm the rights and freedoms of others.

    In the admin manual, which is made available by Phished to the Controller, the Controller can find for which data such an export is possible.
  • Right to withdraw consent: To the extent that the lawful basis for the processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
  • Right to file a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data to your Data Controller. In any case, and in particular if you do not agree with the position of your Controller and/or Phished in response to a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority with address Drukpersstraat 35, 1000 Brussels).
  • Right to object to processing: You have the right to object to the processing of your personal data for direct marketing purposes at any time, as long as the exclusions mentioned in Article 17(3) GDPR do not apply (for example, if the processing is necessary to comply with a legal obligation).

You also have the right to object to the processing of your personal data based on Article 6 (e) or (f) GDPR on grounds relating to your particular situation. In addition, you have the right to object to the processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your particular situation.

9. Cookies

You can read more about our use of cookies via the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this Data Protection Policy to take into account technological advancements, changes in laws and regulations and good business practices.